When the US government issued its Cloud First policy five years ago, data security was at the top of every government agency’s list of concerns. Given the high level of security that government agencies required, would data in the cloud be as secure as in well-established on-premises systems?

Azure Government to be awarded FedRAMP High

Today in Washington, DC, I confirmed that Azure Government was one of the cloud service providers selected to participate in the FedRAMP High Pilot to build the High Impact Baseline. We completed the pilot process and successfully submitted for a High Impact Provisional Authority to Operate (P-ATO) for our Azure Government environment. We anticipate signature of our P-ATO by the end of the month. This is the highest impact level for FedRAMP accreditation.

Up until this point, federal agencies could only migrate low and moderate impact workloads. Now, Azure Government has controls in place to securely process high-impact level data—that is, data that, if leaked or improperly protected, could have a severe adverse effect on organizational operations or, assets, or individuals.

Matt Goodrich, director for FedRAMP’s Program Management Office at the U.S. General Services Administration, affirmed the significance of this news, saying,

“The creation of the FedRAMP High Security Baseline is essential in allowing agencies to migrate more high-impact level data to the cloud. Selecting Microsoft Azure Government to participate in FedRAMP’s High Impact baseline pilot and its forthcoming Provisional Authority to Operate (P-ATO) from the FedRAMP JAB are testaments to Microsoft’s ability to meet the government’s rigorous security requirements.”

Building on the successful FedRAMP High pilot completion, Azure Government is on track to achieve DISA Impact Level 4 authorization shortly. Impact Level 4 data refers to unclassified data that requires protection against unauthorized disclosure as established by Executive Order 13556 or other mission-critical data. It may, for example, include data subject to export control, privacy or protected health information, or other data designated as For Official Use Only, Law Enforcement Sensitive, or Sensitive Security Information. This authorization enables our US federal government customers to deploy CUI on in-scope Azure Government services.

Microsoft is establishing two new physically isolated Azure Government regions for Department of Defense and DISA Impact Level 5

To further extend our commitment to providing high levels of security controls and compliance required for government data, Azure Government is adding two new regions for US Department of Defense data, designed to meet DISA Impact Level 5. A first of their kind, these regions, to be designated US DoD East and US DoD West, are architected to meet stringent DoD security controls and compliance requirements, and will be specifically dedicated to DoD workloads and data at Level 5.

Impact Level 5 data includes CUI that requires a higher level of protection, including that of unclassified National Security Systems. It can only be processed in a dedicated infrastructure that ensures physical separation of DoD customers from non-DoD tenants. These new DoD regions will be designed to meet specific controls and commitments defined in the DoD Cloud Computing Security Requirements Guide (SRG) that require the specific engineering controls in place for data permitted to be stored in the cloud. Availability of these new regions is planned for later this year.

A prime example is the ability of Azure Government to help customers meet the FBI’s Criminal Justice Information Services (CJIS) database security and encryption requirements. This enables governments, from local to federal, to store and process critical criminal justice information (CJI), such as fingerprint records and criminal histories, in the cloud.

As a CJIS-capable platform, Microsoft works directly with state departments of justice and law enforcement agencies at the state and local levels to sign the FBI CJIS Addendum, with sixteen states, covering more than half of the US population signed to date. Based on public announcements, that’s at least fifteen more states than the next closest cloud provider. Police departments from California to South Carolina see this compliance as being critical to their adoption of Azure Government:

“Azure Government supports the CJIS framework, and that was a huge reason we chose this solution,” says Tony Elder, deputy chief of the Charleston Police Department.

Microsoft Azure was the first hyper-scale cloud platform to comply with mission-critical compliance programs like CJIS, and now proudly offers an industry leading portfolio of compliance certifications and attestations with 35.

Azure Web Apps provides a scalable platform for building and managing powerful web applications in Azure Government. The service features rich application framework support for 32-bit and 64-bit web apps using .NET, php, python, node.js and Java. You can scale your site on-demand with Azure’s auto-scaling, help secure your web apps with full support for both SNI SSL and IP-based SSL, stage new code changes into production using deployment slots, monitor your apps with endpoint monitoring and alerting, and periodically backup your apps for peace of mind.

There is now expanded support for Azure Government customers with a new series of virtual machine (VM) sizes for Azure Virtual Machines and web/worker roles. The D-Series sizes offer up to 112 GB in memory with compute processors that are approximately 60 percent faster than our A-Series VM sizes (relative to the A1-A7 VM sizes). Even better, these sizes have up to 800 GB of local solid-state drives (SSDs) for blazingly fast disk read/write. The new sizes offer an optimal configuration for running workloads that require increased processing power and fast local disk input/output (I/O). These sizes are available for both Virtual Machines and Azure Cloud Services. In Azure Government, this expanded support houses all customer data, applications, and hardware in the continental United States.

Azure Site Recovery provides Azure Government customers with full-featured disaster recovery that is simple, and provides automated protection and replication of your physical and virtual environment. The addition of Site Recovery as part of our Azure Backup and disaster recovery features help meet Azure Government customers’ security rigor and requirements, as well as help meet your hybrid cloud objectives. More updates will become available in the near future as we enable physical Linux and VMWare Linux VM replication scenarios to Azure Storage and/or a secondary datacenter for Azure Government.

Azure Automation enables Azure Government users to automate manual, long-running, error-prone, and frequently repeated tasks that are commonly performed in a cloud environment. You can create, monitor, manage, and deploy resources in your Azure Government environment using runbooks, which are based on Windows PowerShell workflows. Automation runbooks work with Azure Web Apps for Azure App Service, Azure Virtual Machines, Azure Storage, Microsoft SQL Server, and other popular Azure Government services. You can also use them with any service offering public Internet APIs. By efficiently handling processes that span tools, systems, and department silos, Automation lets you deliver services faster and more consistently. It’s highly reliable and you can create checkpoints to resume your workflow after unexpected errors, crashes, and network issues.

Azure Backup helps enable backups of your Azure Government infrastructure as a service (IaaS) VMs. This can help Azure Government customers in state, local, federal, civilian, and defense, plus more than 100 solution partners with dedicated government practices, to leverage the cloud for critical business needs by backing up their assets on the cloud. We also enabled Microsoft Azure Backup Server, a feature of Azure Backup, to protect workloads to disk and cloud, for all Azure Government customers. You can leverage this Microsoft Azure Backup server to back up your key Microsoft workloads like SQL, SharePoint and Exchange to Azure Government.

Azure Role-Based Access Control: Preview with PowerShell

Azure Role-Based Access Control (RBAC) for Azure Government can be managed using PowerShell and Command-Line tools. Azure RBAC enables fine-grained access management for Azure. Using Azure RBAC, you can segregate duties within your DevOps team and grant only the amount of access to users that they need to perform their jobs. Securing key management roles is essential to protecting government data in the cloud.

Continuing our investment in the future of government

By 2018, increased security will displace cost savings and agility as the primary driver for government agencies to move to public cloud within their jurisdictions*. At Microsoft, we are steadfast in our commitment and investments to deliver a Cloud for Government that meets those stringent requirements. Customers like Rick Smith, CEO, TASER, are confirming these investments with their cloud platform choices.

“Microsoft, when we did the final analysis for this market sector, is good for government compliance and in helping us in organizations that have compliance issues. They also have deep relationships. It is a great partnership and we’re excited to keep working with them.”

We listen to feedback, offer choice and will continue making the investments required to deliver the most Trusted Cloud for Government.

*Predicts 2016: Government Continues to Adapt to the Digital Era, Gartner, December 2, 2015.

This blog post contains forward looking statements regarding future operations, product development, product capabilities and availability dates. These statements are based on current expectations and assumptions that are subject to risks and uncertainties. This information is subject to change at any time without prior notification.